Basic Concepts and Fundamentals of ACLs
An access control list (ACL) is a set of statements. Each statement consists of criteria and actions. Criteria define the conditions for the actions. Routers use ACLs to filter packets. When a packet enters or exits the router, the router checks the statements of the applied ACL in sequential order to find a match. If it finds a match, it executes the corresponding action. If not, it discards the packet. An ACL works only if you apply it to the correct interface in the proper direction. This tutorial explains the factors that affect ACL implementation.
Location
Access lists work on a per-interface basis. For example, if a router has two interfaces, you can apply a different access list to each of them. An interface uses only its own ACL to filter the traffic that passes through it. It cannot use the ACL applied to another interface. If you apply an ACL to an interface that does not process the targeted traffic, it will not work. An ACL acts like a sieve. Just as a sieve uses its mesh to filter out liquid or small particles from a mixture, an ACL uses its statements to filter out the packets you specify. A sieve can filter the mixture only when the mixture passes through it. Similarly, an ACL can filter traffic only when the traffic goes through it. Let us take an example. The following image shows a network.

This network consists of three segments connected by a router. Without an ACL, all segments can access each other. Suppose you want to prevent the Staff segment from accessing the Server segment. For this, you created an ACL and applied it to the F0/1 interface. The following image shows this implementation.

Will this ACL work?
No, instead of blocking the Staff segment, this ACL will block the Administrators segment. The F0/1 interface connects the Administrators segment to the Server segment. To access the Server segment, the traffic of the Staff segment neither enters nor exits from the F0/1 interface. Since the traffic of the Staff segment does not interact with the F0/1 interface, the ACL applied to the F0/1 interface does not affect it.
What is the correct location for this ACL?
You can apply this ACL to either the F0/0 interface or the F0/2 interface. The following image shows the correct implementation of the ACL.

When implementing an ACL on an interface, make sure that the interface interacts with the targeted traffic. If the targeted traffic does not pass through it, the ACL will not work.
Direction
When a router receives a packet on its interface, it reads the destination address of the packet and forwards the packet from the interface connected to the destination address. You can divide this process into three phases: entry, process, and exit. In the first phase, the packet enters the router. In the second phase, the router processes the packet. In the third phase, the packet exits the router.

You can configure an ACL before the first phase and before the third phase. If you apply the ACL before the first phase, the router will use it to filter the incoming packets. If you apply it before the third phase, the router will use it to filter the outgoing packets. You cannot apply an ACL to the second phase itself; the router filters a packet only as it enters or exits an interface, never while it is being processed.

Inbound and Outbound ACLs
If you use an ACL to filter incoming traffic, it is called an inbound ACL. If you use it to filter outgoing traffic, it is called an outbound ACL. An inbound ACL cannot filter the outgoing traffic. Similarly, an outbound ACL cannot filter the incoming traffic.

You applied an outbound ACL to the F0/0 interface to prevent the Staff segment from accessing the Server segment. However, it does not stop the Staff segment from accessing the Server. The following image shows the new ACL implementation.

What's wrong with this implementation?
The F0/0 interface serves as the default gateway for the Staff segment. It receives traffic from the Staff segment and forwards it to the Server segment. The F0/0 interface acts as the entry point for this traffic. You applied an outbound ACL to filter the incoming traffic. The traffic of the Staff segment enters the F0/0 interface. It does not exit from the F0/0 interface. An outbound ACL cannot filter the incoming traffic. You can fix this problem in two ways. You can apply an inbound ACL to the F0/0 interface or an outbound ACL to the F0/2 interface. The following image shows the first solution.

Order
If an ACL is implemented, the router processes each packet through it. For every incoming packet, the router checks each entry of the access list from top to bottom until it finds a match. Once a match is found, it executes the corresponding action. It does not check the remaining entries for that packet. If an access list has multiple entries for the same packet, it executes the action of the first entry from the top.
To allow specific hosts from a network, add the allow statements first in the ACL. If you add an allow statement below the deny statement of the same criteria, the allow statement will never execute. Suppose you want to allow only the host 10.0.0.10/8 from the 10.0.0.0/8 network to access the Server segment. For this, you created the following ACL.
Deny all
Allow 10.0.0.10/8
You applied this ACL to the F0/0 interface in the inbound direction. After that, it blocks all traffic from the Staff segment. Even though the host 10.0.0.10/8 has an allow entry, it cannot access the Server segment.
Why is this ACL not working?
The following image shows this ACL implementation.

When the packets from the host 10.0.0.10 enter the F0/0 interface, the interface checks the applied ACL. The first statement of the ACL states "deny all incoming traffic." Since this criterion matches all incoming packets, the interface never checks the following statement for any incoming packet. It always executes the action of the first statement. Since the action of the first statement is 'deny all', all incoming packets are denied. To resolve this issue, place the allow statement before the deny statement. The correct ordering of statements is the following.
Allow 10.0.0.10/8
Deny all
The following image shows the implementation of the correct ACL.

Now, when packets from the host 10.0.0.10/8 enter the F0/0 interface, the interface will allow them. But if it receives packets from other hosts, it will discard them. When a packet enters the interface, the interface checks the ACL. The first statement of the ACL is for the host 10.0.0.10/8. The interface will check the source address of the packet. The source address of the packet is 10.0.0.10/8. The interface will execute the action of the first statement. The action of the first statement is 'allow'. Because of this, the packet will be allowed. If the source address of the packet is not 10.0.0.10/8, the interface will check the following statement. The following statement is 'deny all'. It will match all incoming packets. The action of the second statement is 'deny all'. Because of this, the packet will be discarded. Thus, apart from the packets of the host 10.0.0.10/8, all incoming packets will be discarded.
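The three pitfalls covered above (wrong location, wrong direction, and wrong order) all come from the same evaluation model: one ACL per interface per direction, checked top to bottom, first match wins, and an implicit deny when nothing matches. The following Python simulation is an added example written for this tutorial, not code from the original page or from Cisco. It models the three-segment network from the figures; the Staff network 10.0.0.0/8 on F0/0 is taken from the page, while the Administrators and Server segment addresses, the host addresses, and the function names are assumptions made for the example. It runs each of the page's scenarios and shows which traffic is actually dropped.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed topology modelled on the tutorial's figures. The Staff network
# 10.0.0.0/8 on F0/0 comes from the page; the Administrators and Server
# segment addresses are assumptions made for this example.
INTERFACES = {
    "F0/0": ipaddress.ip_network("10.0.0.0/8"),      # Staff segment (from the page)
    "F0/1": ipaddress.ip_network("172.16.0.0/16"),   # Administrators segment (assumed)
    "F0/2": ipaddress.ip_network("192.168.1.0/24"),  # Server segment (assumed)
}

ANY = ipaddress.ip_network("0.0.0.0/0")
# The page writes the host as 10.0.0.10/8 (a host inside 10.0.0.0/8). A host
# entry matches only that one address, so it is modelled here as a /32.
HOST = ipaddress.ip_network("10.0.0.10/32")


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # criterion: the packet's source must lie in this network


# The ACLs discussed on the page, as ordered statement lists.
DENY_ALL = [Entry("deny", ANY)]
WRONG_ORDER = [Entry("deny", ANY), Entry("permit", HOST)]   # the permit is shadowed
RIGHT_ORDER = [Entry("permit", HOST), Entry("deny", ANY)]   # the permit is reachable


def evaluate(acl, src):
    """First-match evaluation of one ACL against a packet's source address.

    Returns (action, index) of the first matching statement. If no statement
    matches, the result is ("deny", None): the implicit deny the page
    describes with "If not, it discards the packet".
    """
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    for index, entry in enumerate(acl):
        if src in entry.source:
            return entry.action, index
    return "deny", None


@dataclass
class Router:
    # (interface, "in" | "out") -> ACL; one ACL per interface per direction.
    bindings: Dict[Tuple[str, str], List[Entry]] = field(default_factory=dict)

    def apply(self, interface, direction, acl):
        """Bind an ACL to one interface in one direction."""
        self.bindings[(interface, direction)] = acl

    @staticmethod
    def interface_for(address):
        """Interface whose directly connected segment contains the address."""
        for name, network in INTERFACES.items():
            if address in network:
                return name
        raise ValueError(f"no connected segment for {address}")

    def forward(self, src, dst):
        """Push one packet through the three phases: entry, process, exit."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress = self.interface_for(src)   # phase 1: the packet enters here
        egress = self.interface_for(dst)    # phase 2: routing chooses the exit

        inbound = self.bindings.get((ingress, "in"))
        if inbound is not None and evaluate(inbound, src)[0] == "deny":
            return f"dropped at {ingress} inbound"

        outbound = self.bindings.get((egress, "out"))   # phase 3: the packet exits here
        if outbound is not None and evaluate(outbound, src)[0] == "deny":
            return f"dropped at {egress} outbound"
        return f"forwarded {ingress} -> {egress}"


# Constructed sample hosts, one per segment.
STAFF_HOST, STAFF_OTHER = "10.0.0.10", "10.0.0.20"
ADMIN_HOST, SERVER = "172.16.0.5", "192.168.1.5"


def wrong_location():
    """Deny-all inbound on F0/1: Staff traffic never touches F0/1, Administrators' does."""
    r = Router()
    r.apply("F0/1", "in", DENY_ALL)
    return r.forward(STAFF_OTHER, SERVER), r.forward(ADMIN_HOST, SERVER)


def wrong_direction():
    """Deny-all outbound on F0/0: Staff packets enter F0/0 and are not caught;
    only the Server segment's replies, which exit F0/0, are."""
    r = Router()
    r.apply("F0/0", "out", DENY_ALL)
    return r.forward(STAFF_OTHER, SERVER), r.forward(SERVER, STAFF_OTHER)


def order(acl):
    """Apply an ACL inbound on F0/0 and send packets from 10.0.0.10 and another Staff host."""
    r = Router()
    r.apply("F0/0", "in", acl)
    return r.forward(STAFF_HOST, SERVER), r.forward(STAFF_OTHER, SERVER)


if __name__ == "__main__":
    print("wrong location :", wrong_location())
    print("wrong direction:", wrong_direction())
    print("deny first     :", order(WRONG_ORDER))
    print("allow first    :", order(RIGHT_ORDER))
```

Running the script reproduces the page's conclusions: the ACL on F0/1 drops the Administrators' packets and leaves Staff traffic alone, the outbound ACL on F0/0 catches only the replies that exit that interface, and the deny-first ordering drops 10.0.0.10 along with everything else while the allow-first ordering lets it through. The `evaluate` function is the piece to reuse when checking a proposed ACL on paper: any statement whose index is never returned for the traffic you care about is shadowed by an earlier one.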
This tutorial is part of the tutorial "Cisco Access List Commands, Concepts, and Configurations". Other parts of this tutorial are as follows:
Chapter 01 Definition, purposes, benefits, and functions of ACL
Chapter 02 Basic concepts and fundamentals of ACLs
Chapter 03 How Access Lists work on Cisco routers
Chapter 04 Types of access control lists explained
Chapter 05 Wildcard Masks in ACLs Explained
Chapter 06 Rules and configuration guidelines for Cisco ACLs
Chapter 07 Access Control List Explained with Examples
Chapter 08 The ip access-list command options and arguments
Chapter 09 Standard ACL Configuration Commands Explained
Chapter 10 Configure Standard Access Control List Step-by-Step Guide
Chapter 11 How to secure VTY access to the Router
Chapter 12 Extended ACL Configuration Commands Explained
Chapter 13 Configure Extended Access Control List Step-by-Step Guide
Chapter 14 How to block ICMP Ping on Cisco Routers
Conclusion
The implementation of ACLs requires careful consideration of location, direction, and order to ensure they function as intended. If they are applied incorrectly, they won't have any effect on the desired traffic flow. This tutorial explained the principles you need to create effective ACLs that enhance network security and ensure the appropriate flow of traffic between segments.
Author: Laxmi Goswami. Updated on 2025-11-08.